@elizaos/app-core 2.0.0-alpha.209 → 2.0.0-alpha.210

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elizaos/app-core",
-  "version": "2.0.0-alpha.209",
+  "version": "2.0.0-alpha.210",
   "description": "Shared application core for elizaOS white-label agent apps.",
   "type": "module",
   "license": "MIT",
@@ -477,7 +477,7 @@
     "@capacitor/keyboard": "8.0.3",
     "@capacitor/preferences": "^8.0.1",
     "@clack/prompts": "^1.0.0",
-    "@elizaos/agent": "^2.0.0-alpha.209",
+    "@elizaos/agent": "^2.0.0-alpha.210",
     "@elizaos/app-companion": "^0.0.0",
     "@elizaos/app-elizamaker": "^0.0.0",
     "@elizaos/app-lifeops": "^0.0.0",
@@ -486,9 +486,9 @@
     "@elizaos/app-task-coordinator": "^0.0.0",
     "@elizaos/app-training": "^0.0.1",
     "@elizaos/app-vincent": "^0.0.0",
-    "@elizaos/core": "^2.0.0-alpha.209",
-    "@elizaos/shared": "^2.0.0-alpha.209",
-    "@elizaos/ui": "^2.0.0-alpha.209",
+    "@elizaos/core": "^2.0.0-alpha.210",
+    "@elizaos/shared": "^2.0.0-alpha.210",
+    "@elizaos/ui": "^2.0.0-alpha.210",
     "@radix-ui/react-checkbox": "^1.3.3",
     "@radix-ui/react-dialog": "^1.1.15",
     "@radix-ui/react-dropdown-menu": "^2.1.16",

package/packages/app-core/src/api/n8n-routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"n8n-routes.d.ts","sourceRoot":"","sources":["../../../../../src/api/n8n-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACzE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAGlD,OAAO,EAAE,KAAK,OAAO,EAAkB,MAAM,sBAAsB,CAAC;AACpE,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE5E,YAAY,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAEpD;;;;;GAKG;AACH,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,QAAQ,CAAC;AAEnD;;;;GAIG;AACH,MAAM,MAAM,cAAc,GAAG,IAAI,GAAG,UAAU,GAAG,SAAS,CAAC;AAE3D,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,OAAO,CAAC;IACd,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,MAAM,EAAE,gBAAgB,CAAC;IACzB,cAAc,EAAE,OAAO,CAAC;IACxB,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,EAAE,eAAe,CAAC;IAC1B;;;OAGG;IACH,WAAW,EAAE,cAAc,CAAC;IAC5B;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,mBAAmB;IAClC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IAClC,KAAK,CAAC,EAAE;QACN,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,GAAG,CAAC,EAAE;QACJ,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACrB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,gBAAgB,CAAC;KAC3B,CAAC;CACH;AAGD,MAAM,MAAM,mBAAmB,GAAG,mBAAmB,CAAC;AACtD,MAAM,MAAM,qBAAqB,GAAG,eAAe,CAAC;AAEpD,MAAM,WAAW,eACf,SAAQ,gBAAgB,EACtB,IAAI,CAAC,YAAY,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,mBAAmB,CAAC;IAC5B,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC;IAC/B;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,cAAc,CAAC;CACtC;AAkBD,sEAAsE;AACtE,wBAAgB,+BAA+B,IAAI,IAAI,CAEtD;AA0VD,wBAAsB,eAAe,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,CA8D5E;AAID,eAAO,MAAM,qBAAqB,wBAAkB,CAAC"}
+{"version":3,"file":"n8n-routes.d.ts","sourceRoot":"","sources":["../../../../../src/api/n8n-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACzE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAGlD,OAAO,EAAE,KAAK,OAAO,EAAkB,MAAM,sBAAsB,CAAC;AACpE,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE5E,YAAY,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAEpD;;;;;GAKG;AACH,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,QAAQ,CAAC;AAEnD;;;;GAIG;AACH,MAAM,MAAM,cAAc,GAAG,IAAI,GAAG,UAAU,GAAG,SAAS,CAAC;AAE3D,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,OAAO,CAAC;IACd,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,MAAM,EAAE,gBAAgB,CAAC;IACzB,cAAc,EAAE,OAAO,CAAC;IACxB,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,EAAE,eAAe,CAAC;IAC1B;;;OAGG;IACH,WAAW,EAAE,cAAc,CAAC;IAC5B;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,mBAAmB;IAClC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IAClC,KAAK,CAAC,EAAE;QACN,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,GAAG,CAAC,EAAE;QACJ,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACrB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,gBAAgB,CAAC;KAC3B,CAAC;CACH;AAGD,MAAM,MAAM,mBAAmB,GAAG,mBAAmB,CAAC;AACtD,MAAM,MAAM,qBAAqB,GAAG,eAAe,CAAC;AAEpD,MAAM,WAAW,eACf,SAAQ,gBAAgB,EACtB,IAAI,CAAC,YAAY,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,mBAAmB,CAAC;IAC5B,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC;IAC/B;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,cAAc,CAAC;CACtC;AAkBD,sEAAsE;AACtE,wBAAgB,+BAA+B,IAAI,IAAI,CAEtD;AAgWD,wBAAsB,eAAe,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,CA8D5E;AAID,eAAO,MAAM,qBAAqB,wBAAkB,CAAC"}

package/packages/app-core/src/api/n8n-routes.js

@@ -201,9 +201,15 @@ function resolveProxyTarget(ctx, subpath, sidecar, native) {
     };
     if (apiKey)
         headers["X-N8N-API-KEY"] = apiKey;
+    // n8n serves TWO parallel workflow APIs:
+    //   /rest/workflows   — internal UI endpoint, requires JWT cookie auth.
+    //   /api/v1/workflows — public API, accepts X-N8N-API-KEY.
+    // We provision an X-N8N-API-KEY during boot, so the public API is the
+    // only path that authenticates correctly. Hitting /rest/ was returning
+    // 401 "Unauthorized" even with a valid key — that's the wrong endpoint.
     return {
         target: {
-            url: `${host.replace(/\/+$/, "")}/rest/workflows${subpath}`,
+            url: `${host.replace(/\/+$/, "")}/api/v1/workflows${subpath}`,
             headers,
         },
     };

package/packages/app-core/src/services/n8n-sidecar.d.ts

@@ -62,7 +62,22 @@ export interface N8nSidecarConfig {
     startPort?: number;
     /** Bind host for the child. Default 127.0.0.1. */
     host?: string;
-    /** Binary used to run n8n. Default "bunx". */
+    /**
+     * Binary used to run n8n. Default "npx".
+     *
+     * Why not "bunx"? bunx invokes n8n through Bun's runtime / shim, which
+     * fails two different ways depending on the n8n version:
+     *   1. n8n@1.70.x: bunx resolves `node` via $PATH before reading the
+     *      package's `engines` field. On macOS with Homebrew that's v24,
+     *      which 1.70 rejects ("Node.js version 24.5.0 is currently not
+     *      supported").
+     *   2. n8n@1.108.x: bunx runs n8n under Bun's runtime which does not
+     *      fully implement the `reflect-metadata` + TSyringe decorator
+     *      pattern n8n relies on for DI, failing at bootstrap with
+     *      "[DI] ErrorReporter is not decorated with Service".
+     * `npx --yes` uses npm's cache and execs n8n under the expected Node
+     * runtime, which works across every n8n + Node combo we care about.
+     */
     binary?: string;
     /** State directory root; owner email/password + sqlite live here. */
     stateDir?: string;
@@ -221,13 +236,42 @@ export declare class N8nSidecar {
      */
     private validateApiKey;
     /**
-     * Provision a personal API key via n8n's internal REST endpoint. With
-     * user management disabled, n8n accepts unauthenticated calls to
-     * `/rest/me/api-keys`. If the pinned version rejects this flow (newer
-     * n8n versions moved to an auth-required flow), we return null and
-     * the caller must fall back to the JWT path documented in-file.
+     * Provision an API key by driving n8n's owner-setup → login → api-key flow.
+     *
+     * n8n ≥ 1.90-ish removed the anonymous `/rest/me/api-keys` endpoint. The
+     * supported path now requires:
+     *   1. POST /rest/owner/setup   { email, firstName, lastName, password }
+     *      – returns `Set-Cookie: n8n-auth=<JWT>` when no owner exists yet.
+     *   2. POST /rest/login         { emailOrLdapLoginId, password }
+     *      – returns the same cookie on restarts, once the owner is set.
+     *   3. GET  /rest/api-keys/scopes
+     *      – enumerates the scopes the current role is allowed to grant.
+     *   4. POST /rest/api-keys      { label, scopes, expiresAt: null }
+     *      – returns `data.rawApiKey` which stays valid across restarts until
+     *        explicitly revoked.
+     *
+     * Credentials are persisted to `{stateDir}/owner.json` (mode-600) so the
+     * same login works on every subsequent boot; we never re-generate. Password
+     * is random per install — there's no user-facing n8n UI flow in Milady, so
+     * storing it here is safe for a local single-user sidecar.
      */
     private provisionApiKey;
+    /**
+     * Load owner credentials from `{stateDir}/owner.json`, or generate a fresh
+     * pair and persist them mode-600. The email is deterministic (matches the
+     * label we show to the user); the password is a long random token.
+     */
+    private loadOrCreateOwnerCreds;
+    /**
+     * Returns a `Cookie: n8n-auth=<jwt>` string by either creating the owner
+     * (first boot) or logging in (subsequent boots). Returns null if both
+     * fail so the caller can back off gracefully.
+     */
+    private acquireOwnerCookie;
+    /** List scopes the current role may grant when creating an API key. */
+    private fetchApiKeyScopes;
+    /** 48 bytes of base64url entropy — ~64 chars, far above n8n's min length. */
+    private generateRandomPassword;
     /** Stop the sidecar. Idempotent. */
     stop(): Promise<void>;
     /** Public helper so callers can gate feature activation on running state. */

package/packages/app-core/src/services/n8n-sidecar.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"n8n-sidecar.d.ts","sourceRoot":"","sources":["../../../../../src/services/n8n-sidecar.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAEH,OAAO,EAAqB,KAAK,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAY3E,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,UAAU,GAAG,OAAO,GAAG,OAAO,CAAC;AAE1E,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,gBAAgB,CAAC;IACzB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB;;;;;;;OAOG;IACH,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAED,MAAM,WAAW,gBAAgB;IAC/B,0EAA0E;IAC1E,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,0EAA0E;IAC1E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+EAA+E;IAC/E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8CAA8C;IAC9C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qEAAqE;IACrE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;;;;;;OASG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,wDAAwD;IACxD,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,+DAA+D;IAC/D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sDAAsD;IACtD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,iFAAiF;IACjF,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,eAAe,KAAK,IAAI,CAAC;IAClD,+DAA+D;IAC/D,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,GAAG,QAAQ,KAAK,IAAI,CAAC;CAC7D;AAED,MAAM,WAAW,cAAc;IAC7B,+EAA+E;IAC/E,KAAK,CAAC,EAAE,OAAO,SAAS,CAAC;IACzB,8EAA8E;IAC9E,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,6DAA6D;IAC7D,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9C,sDAAsD;IACtD,KAAK,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACtC;;;OAGG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;IAC1C;;;OAGG;IACH,kBAAkB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,OAAO,KAAK,IAAI,CAAC;IACxD;;;OAGG;IACH,eAAe,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,6EAA6E;IAC7E,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IACnB,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,IAAI,EAAE,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC;IACnD,oDAAoD;IACpD,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;CACxC;AAED,KAAK,QAAQ,GAAG,CAAC,KAAK,EAAE,eAAe,KAAK,IAAI,CAAC;AAmMjD,qBAAa,UAAU;IACrB,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,IAAI,CAA2B;IACvC,OAAO,CAAC,KAAK,CAQX;IACF,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAM;IAC/C,sFAAsF;IACtF,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,KAAK,CAA6B;IAC1C,8EAA8E;IAC9E,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,SAAS,CAA4B;IAC7C,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,iBAAiB,CAAS;IAClC;;;;OAIG;IACH,OAAO,CAAC,eAAe,CAAiB;gBAE5B,MAAM,GAAE,gBAAqB,EAAE,IAAI,GAAE,cAAmB;IA2BpE,QAAQ,IAAI,eAAe;IAI3B;;;OAGG;IACH,SAAS,IAAI,MAAM,GAAG,IAAI;IAI1B;;;;;;;;;OASG;IACH,YAAY,CAAC,IAAI,EAAE,gBAAgB,GAAG,IAAI;IAiC1C;;;OAGG;IACH,OAAO,CAAC,cAAc;IAiBtB,SAAS,CAAC,EAAE,EAAE,QAAQ,GAAG,MAAM,IAAI;IAanC,OAAO,CAAC,IAAI;IAgBZ,OAAO,CAAC,QAAQ;IAKhB;;;OAGG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsB5B;;;OAGG;YACW,aAAa;YA2Fb,UAAU;IA4ExB,qEAAqE;IACrE,OAAO,CAAC,YAAY;IAapB;;;;;OAKG;IACH,OAAO,CAAC,2BAA2B;IAgCnC,OAAO,CAAC,SAAS;IAwBjB;;;;;OAKG;YACW,cAAc;IAkC5B;;;;;;;;;;;OAWG;YACW,YAAY;IAc1B,OAAO,CAAC,UAAU;YAIJ,mBAAmB;YAOnB,aAAa;IAc3B;;;OAGG;YACW,cAAc;IAa5B;;;;;;OAMG;YACW,eAAe;IA6B7B,oCAAoC;IAC9B,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAgB3B,6EAA6E;IAC7E,SAAS,IAAI,OAAO;IAMpB,OAAO,CAAC,WAAW;YAIL,WAAW;YAOX,YAAY;YAYZ,aAAa;IAI3B;;;;;;;;;OASG;YACW,UAAU;IAmCxB,OAAO,CAAC,kBAAkB;IAa1B,OAAO,CAAC,qBAAqB;CAM9B;AAmBD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,aAAa,CAAC,MAAM,GAAE,gBAAqB,GAAG,UAAU,CAYvE;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,GAAE,gBAAqB,GAC5B,OAAO,CAAC,UAAU,CAAC,CAKrB;AAED;;;;GAIG;AACH,wBAAgB,cAAc,IAAI,UAAU,GAAG,IAAI,CAElD;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CAgBvD"}
+{"version":3,"file":"n8n-sidecar.d.ts","sourceRoot":"","sources":["../../../../../src/services/n8n-sidecar.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAEH,OAAO,EAAqB,KAAK,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAY3E,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,UAAU,GAAG,OAAO,GAAG,OAAO,CAAC;AAE1E,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,gBAAgB,CAAC;IACzB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB;;;;;;;OAOG;IACH,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAED,MAAM,WAAW,gBAAgB;IAC/B,0EAA0E;IAC1E,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,0EAA0E;IAC1E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+EAA+E;IAC/E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;;;;;;;;;;;;;;OAeG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qEAAqE;IACrE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;;;;;;OASG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,wDAAwD;IACxD,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,+DAA+D;IAC/D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sDAAsD;IACtD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,iFAAiF;IACjF,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,eAAe,KAAK,IAAI,CAAC;IAClD,+DAA+D;IAC/D,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,GAAG,QAAQ,KAAK,IAAI,CAAC;CAC7D;AAED,MAAM,WAAW,cAAc;IAC7B,+EAA+E;IAC/E,KAAK,CAAC,EAAE,OAAO,SAAS,CAAC;IACzB,8EAA8E;IAC9E,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,6DAA6D;IAC7D,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9C,sDAAsD;IACtD,KAAK,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACtC;;;OAGG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;IAC1C;;;OAGG;IACH,kBAAkB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,OAAO,KAAK,IAAI,CAAC;IACxD;;;OAGG;IACH,eAAe,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,6EAA6E;IAC7E,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IACnB,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,IAAI,EAAE,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC;IACnD,oDAAoD;IACpD,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;CACxC;AAED,KAAK,QAAQ,GAAG,CAAC,KAAK,EAAE,eAAe,KAAK,IAAI,CAAC;AAsOjD,qBAAa,UAAU;IACrB,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,IAAI,CAA2B;IACvC,OAAO,CAAC,KAAK,CAQX;IAKF,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAO;IAChD,sFAAsF;IACtF,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,KAAK,CAA6B;IAC1C,8EAA8E;IAC9E,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,SAAS,CAA4B;IAC7C,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,iBAAiB,CAAS;IAClC;;;;OAIG;IACH,OAAO,CAAC,eAAe,CAAiB;gBAE5B,MAAM,GAAE,gBAAqB,EAAE,IAAI,GAAE,cAAmB;IA2BpE,QAAQ,IAAI,eAAe;IAI3B;;;OAGG;IACH,SAAS,IAAI,MAAM,GAAG,IAAI;IAI1B;;;;;;;;;OASG;IACH,YAAY,CAAC,IAAI,EAAE,gBAAgB,GAAG,IAAI;IAiC1C;;;OAGG;IACH,OAAO,CAAC,cAAc;IAiBtB,SAAS,CAAC,EAAE,EAAE,QAAQ,GAAG,MAAM,IAAI;IAanC,OAAO,CAAC,IAAI;IAgBZ,OAAO,CAAC,QAAQ;IAKhB;;;OAGG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsB5B;;;OAGG;YACW,aAAa;YA2Fb,UAAU;IAqFxB,qEAAqE;IACrE,OAAO,CAAC,YAAY;IAapB;;;;;OAKG;IACH,OAAO,CAAC,2BAA2B;IAgCnC,OAAO,CAAC,SAAS;IAwBjB;;;;;OAKG;YACW,cAAc;IAkC5B;;;;;;;;;;;OAWG;YACW,YAAY;IAc1B,OAAO,CAAC,UAAU;YAIJ,mBAAmB;YAOnB,aAAa;IAc3B;;;OAGG;YACW,cAAc;IAa5B;;;;;;;;;;;;;;;;;;;OAmBG;YACW,eAAe;IAkE7B;;;;OAIG;YACW,sBAAsB;IAuDpC;;;;OAIG;YACW,kBAAkB;IAsEhC,uEAAuE;YACzD,iBAAiB;IAkB/B,6EAA6E;IAC7E,OAAO,CAAC,sBAAsB;IAQ9B,oCAAoC;IAC9B,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAgB3B,6EAA6E;IAC7E,SAAS,IAAI,OAAO;IAMpB,OAAO,CAAC,WAAW;YAIL,WAAW;YAOX,YAAY;YAYZ,aAAa;IAI3B;;;;;;;;;OASG;YACW,UAAU;IAmCxB,OAAO,CAAC,kBAAkB;IAa1B,OAAO,CAAC,qBAAqB;CAM9B;AAmBD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,aAAa,CAAC,MAAM,GAAE,gBAAqB,GAAG,UAAU,CAYvE;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,GAAE,gBAAqB,GAC5B,OAAO,CAAC,UAAU,CAAC,CAKrB;AAED;;;;GAIG;AACH,wBAAgB,cAAc,IAAI,UAAU,GAAG,IAAI,CAElD;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CAgBvD"}

package/packages/app-core/src/services/n8n-sidecar.js

@@ -42,21 +42,33 @@ import os from "node:os";
 import path from "node:path";
 import { logger } from "@elizaos/core";
 // ── Implementation ───────────────────────────────────────────────────────────
-// n8n@1.70.0 declared `engines.node: ">=18.17 <= 22"` — incompatible with
-// Node 24.x which ships with current Homebrew and with the Electrobun runtime.
-// 1.99.0+ widened to ">=20.19 <= 24.x". Pinning the last 1.x release so the
-// DB schema stays on a supported migration path and Node 24 hosts can boot.
-// Validated via `npm view n8n@<v> engines.node`. Bumping below 1.99 will break
-// every desktop whose system Node is 23+.
-const DEFAULT_N8N_VERSION = "1.108.0";
+// n8n version selection — this range is narrower than it looks.
+//
+//   1.70.x  declares `engines.node: ">=18.17 <= 22"` — rejects Node 23/24
+//           (which is what Homebrew ships). Fails at boot with
+//           "Node.js version 24.5.0 is currently not supported".
+//   1.99.0  widens to ">=20.19 <= 24.x" and boots cleanly under Node 24 ✓
+//   1.100.0 same engines range, boots cleanly ✓
+//   1.108.0 has a DI-container bootstrap regression — throws
+//           "[DI] GlobalConfig is not decorated with Service" under every
+//           launcher (npx, npm install + node, bunx). Confirmed broken on
+//           both Node 22 and Node 24. See upstream n8n issue.
+//
+// 1.100.0 is the last version I verified end-to-end against Node 24 +
+// npx --yes on 2026-04-19. Bump only with a re-run of the smoke test in
+// docs/apps/n8n-sidecar.md. Validate `engines.node` via
+// `npm view n8n@<v> engines`.
+const DEFAULT_N8N_VERSION = "1.100.0";
 const DEFAULT_START_PORT = 5678;
 const DEFAULT_HOST = "127.0.0.1";
-const DEFAULT_BINARY = "bunx";
-// First-run `bunx n8n@<pinned>` downloads ~300MB before n8n can boot. A 60s
-// timeout was too aggressive — cold starts on typical home connections take
-// 60–120s just for the download. Bump to 180s so the first-run path reliably
-// lands inside the probe window on every desktop platform. Warm starts hit
-// the bunx cache and finish well under this budget.
+// Spawn n8n via `npx --yes n8n@<pinned>`. See `binary?` docs for why bunx
+// is broken (Node-version mismatch + Bun runtime breaks tsyringe decorators).
+const DEFAULT_BINARY = "npx";
+// First-run `npx n8n@<pinned>` downloads ~300MB of n8n + nodes into the
+// npm cache before boot. On a typical home connection that's 60–120s of
+// download plus 15–30s of n8n boot. Keep 180s so the first-run path
+// reliably lands inside the probe window on every desktop platform.
+// Warm starts hit the npm cache and finish well under this budget.
 const DEFAULT_PROBE_TIMEOUT_MS = 180_000;
 const DEFAULT_PROBE_INTERVAL_MS = 750;
 const DEFAULT_MAX_RETRIES = 3;
@@ -202,6 +214,28 @@ function fingerprint(secret) {
         return "***";
     return `${secret.slice(0, 4)}…${secret.slice(-2)} (len=${secret.length})`;
 }
+/**
+ * Extract the n8n-auth cookie from a `Response` for re-use on subsequent
+ * calls. Returns a ready-to-send `Cookie:` header value, or null if the
+ * response didn't set one. Tolerates fetch implementations that expose
+ * multiple Set-Cookie values through `getSetCookie()` (Node 20.18+) or
+ * a single joined `set-cookie` header (older runtimes and the test fetch
+ * mock we use in unit tests).
+ */
+function extractAuthCookie(res) {
+    const headers = res.headers;
+    const list = typeof headers.getSetCookie === "function"
+        ? headers.getSetCookie()
+        : ((headers.get("set-cookie") ?? "")
+            .split(/,(?=\s*[\w-]+=)/)
+            .filter((s) => s.length > 0));
+    for (const raw of list) {
+        const first = raw.split(";")[0]?.trim();
+        if (first?.startsWith("n8n-auth="))
+            return first;
+    }
+    return null;
+}
 function resolveConfig(config) {
     return {
         enabled: config.enabled ?? true,
@@ -230,7 +264,11 @@ export class N8nSidecar {
         retries: 0,
         recentOutput: [],
     };
-    static RECENT_OUTPUT_CAP = 40;
+    // 40 was too small — n8n's migration output alone is ~60 stdout lines on a
+    // cold boot, which evicts every preceding error/log from the buffer before
+    // the UI can read it. Sized to comfortably hold migrations + the api-key
+    // provisioning trace + a reasonable error tail.
+    static RECENT_OUTPUT_CAP = 200;
     /** Ring buffer of the child's recent stdout/stderr lines (see state.recentOutput). */
     recentOutput = [];
     child = null;
@@ -478,8 +516,10 @@ export class N8nSidecar {
     async spawnChild(port) {
         // n8n reads N8N_USER_MANAGEMENT_DISABLED to skip the owner-setup flow
         // on first boot; we pair it with a random owner email so no real user
-        // data is needed. Using `bunx n8n@<pinned>` avoids adding n8n as a
-        // package.json dep — bun caches the install globally.
+        // data is needed. Using `npx n8n@<pinned>` pulls from the shared npm
+        // cache and runs under the native Node runtime, which n8n's DI stack
+        // depends on (bunx breaks both the Node version check for 1.70 and the
+        // tsyringe decorator handling for 1.100+ — see `binary?` docs above).
         const env = {
             ...process.env,
             N8N_PORT: String(port),
@@ -495,7 +535,17 @@ export class N8nSidecar {
             DB_SQLITE_DATABASE: path.join(this.config.stateDir, "database.sqlite"),
         };
         const versioned = `n8n@${this.config.version}`;
-        const child = this.deps.spawn(this.config.binary, ["--", versioned, "start"], {
+        // Arg style depends on the launcher:
+        //   npx:  --yes <pkg> <args...>   (auto-confirm install prompt)
+        //   bunx: -- <pkg> <args...>       (still supported for manual overrides)
+        // Anything else is passed through as <pkg> <args...>.
+        const binaryBase = this.config.binary.split("/").pop() ?? this.config.binary;
+        const launcherArgs = binaryBase === "npx"
+            ? ["--yes", versioned, "start"]
+            : binaryBase === "bunx"
+                ? ["--", versioned, "start"]
+                : [versioned, "start"];
+        const child = this.deps.spawn(this.config.binary, launcherArgs, {
             env,
             stdio: ["ignore", "pipe", "pipe"],
             detached: false,
@@ -721,34 +771,209 @@ export class N8nSidecar {
         }
     }
     /**
-     * Provision a personal API key via n8n's internal REST endpoint. With
-     * user management disabled, n8n accepts unauthenticated calls to
-     * `/rest/me/api-keys`. If the pinned version rejects this flow (newer
-     * n8n versions moved to an auth-required flow), we return null and
-     * the caller must fall back to the JWT path documented in-file.
+     * Provision an API key by driving n8n's owner-setup → login → api-key flow.
+     *
+     * n8n ≥ 1.90-ish removed the anonymous `/rest/me/api-keys` endpoint. The
+     * supported path now requires:
+     *   1. POST /rest/owner/setup   { email, firstName, lastName, password }
+     *      – returns `Set-Cookie: n8n-auth=<JWT>` when no owner exists yet.
+     *   2. POST /rest/login         { emailOrLdapLoginId, password }
+     *      – returns the same cookie on restarts, once the owner is set.
+     *   3. GET  /rest/api-keys/scopes
+     *      – enumerates the scopes the current role is allowed to grant.
+     *   4. POST /rest/api-keys      { label, scopes, expiresAt: null }
+     *      – returns `data.rawApiKey` which stays valid across restarts until
+     *        explicitly revoked.
+     *
+     * Credentials are persisted to `{stateDir}/owner.json` (mode-600) so the
+     * same login works on every subsequent boot; we never re-generate. Password
+     * is random per install — there's no user-facing n8n UI flow in Milady, so
+     * storing it here is safe for a local single-user sidecar.
      */
     async provisionApiKey(host) {
+        const log = (msg) => {
+            // Route through both the central logger and the sidecar's recentOutput
+            // ring so operators can see the failure in /api/n8n/status even if the
+            // dev-server log rotates or gets lost. The strings never contain the
+            // raw API key (that's fingerprinted at the ensureApiKey callsite).
+            logger.warn(`[n8n-sidecar] ${msg}`);
+            this.recordOutput(`[provisionApiKey] ${msg}`);
+        };
         try {
-            const res = await this.deps.fetch(`${host}/rest/me/api-keys`, {
+            const owner = await this.loadOrCreateOwnerCreds();
+            const cookie = await this.acquireOwnerCookie(host, owner, log);
+            if (!cookie) {
+                log("acquireOwnerCookie returned null — cannot create api key");
+                return null;
+            }
+            const scopes = await this.fetchApiKeyScopes(host, cookie);
+            if (!scopes || scopes.length === 0) {
+                log("/rest/api-keys/scopes returned no scopes");
+                return null;
+            }
+            const res = await this.deps.fetch(`${host}/rest/api-keys`, {
                 method: "POST",
-                headers: { "content-type": "application/json" },
-                body: JSON.stringify({ label: "milady-sidecar" }),
+                headers: {
+                    "content-type": "application/json",
+                    cookie,
+                },
+                body: JSON.stringify({
+                    label: "milady-sidecar",
+                    scopes,
+                    expiresAt: null,
+                }),
                 signal: AbortSignal.timeout(5_000),
             });
             if (!res.ok) {
-                // 401/403/404 → endpoint disabled or moved; caller falls back.
+                const bodyText = await res.text().catch(() => "");
+                log(`api-key create failed: ${res.status} ${res.statusText}${bodyText ? ` — ${bodyText.slice(0, 200)}` : ""}`);
                 return null;
             }
             const body = (await res.json());
-            return (body.data?.rawApiKey ??
+            const key = body.data?.rawApiKey ??
                 body.data?.apiKey ??
                 body.rawApiKey ??
                 body.apiKey ??
-                null);
+                null;
+            if (!key) {
+                log("api-key create returned no rawApiKey in body");
+            }
+            return key;
+        }
+        catch (err) {
+            log(`provisionApiKey threw: ${err instanceof Error ? err.message : String(err)}`);
+            return null;
+        }
+    }
+    /**
+     * Load owner credentials from `{stateDir}/owner.json`, or generate a fresh
+     * pair and persist them mode-600. The email is deterministic (matches the
+     * label we show to the user); the password is a long random token.
+     */
+    async loadOrCreateOwnerCreds() {
+        const ownerPath = path.join(this.config.stateDir, "owner.json");
+        try {
+            const raw = await fs.readFile(ownerPath, "utf-8");
+            const parsed = JSON.parse(raw);
+            if (typeof parsed.email === "string" &&
+                typeof parsed.password === "string" &&
+                parsed.email.length > 0 &&
+                parsed.password.length > 0) {
+                return {
+                    email: parsed.email,
+                    firstName: typeof parsed.firstName === "string" ? parsed.firstName : "Milady",
+                    lastName: typeof parsed.lastName === "string" ? parsed.lastName : "Local",
+                    password: parsed.password,
+                };
+            }
         }
         catch {
+            /* fall through to generate fresh */
+        }
+        const password = this.generateRandomPassword();
+        const creds = {
+            email: "milady@milady.local",
+            firstName: "Milady",
+            lastName: "Local",
+            password,
+        };
+        try {
+            await fs.mkdir(this.config.stateDir, { recursive: true });
+            await fs.writeFile(ownerPath, JSON.stringify(creds, null, 2), {
+                mode: 0o600,
+            });
+            await fs.chmod(ownerPath, 0o600).catch(() => undefined);
+        }
+        catch (err) {
+            logger.warn(`[n8n-sidecar] failed to persist owner creds: ${err instanceof Error ? err.message : String(err)}`);
+        }
+        return creds;
+    }
+    /**
+     * Returns a `Cookie: n8n-auth=<jwt>` string by either creating the owner
+     * (first boot) or logging in (subsequent boots). Returns null if both
+     * fail so the caller can back off gracefully.
+     */
+    async acquireOwnerCookie(host, owner, log = () => undefined) {
+        // First boot: owner does not exist yet, /rest/owner/setup returns 200.
+        // Subsequent boots: returns 400 "instance owner already setup"; we fall
+        // through to /rest/login.
+        const setup = await this.deps
+            .fetch(`${host}/rest/owner/setup`, {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({
+                email: owner.email,
+                firstName: owner.firstName,
+                lastName: owner.lastName,
+                password: owner.password,
+            }),
+            signal: AbortSignal.timeout(10_000),
+        })
+            .catch((err) => {
+            log(`owner/setup fetch threw: ${err instanceof Error ? err.message : String(err)}`);
             return null;
+        });
+        if (setup?.ok) {
+            const cookie = extractAuthCookie(setup);
+            if (cookie)
+                return cookie;
+            log("owner/setup 200 but no n8n-auth cookie in response");
+        }
+        else if (setup) {
+            const text = await setup.text().catch(() => "");
+            log(`owner/setup ${setup.status}${text ? ` — ${text.slice(0, 160)}` : ""}`);
+        }
+        const login = await this.deps
+            .fetch(`${host}/rest/login`, {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({
+                emailOrLdapLoginId: owner.email,
+                password: owner.password,
+            }),
+            signal: AbortSignal.timeout(10_000),
+        })
+            .catch((err) => {
+            log(`login fetch threw: ${err instanceof Error ? err.message : String(err)}`);
+            return null;
+        });
+        if (login?.ok) {
+            const cookie = extractAuthCookie(login);
+            if (cookie)
+                return cookie;
+            log("login 200 but no n8n-auth cookie in response");
+        }
+        else if (login) {
+            const text = await login.text().catch(() => "");
+            log(`login ${login.status}${text ? ` — ${text.slice(0, 160)}` : ""}`);
         }
+        return null;
+    }
+    /** List scopes the current role may grant when creating an API key. */
+    async fetchApiKeyScopes(host, cookie) {
+        try {
+            const res = await this.deps.fetch(`${host}/rest/api-keys/scopes`, {
+                method: "GET",
+                headers: { cookie },
+                signal: AbortSignal.timeout(5_000),
+            });
+            if (!res.ok)
+                return null;
+            const body = (await res.json());
+            return Array.isArray(body.data) ? body.data : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    /** 48 bytes of base64url entropy — ~64 chars, far above n8n's min length. */
+    generateRandomPassword() {
+        // crypto is Node 20+ global; fallback to Math.random if unavailable is
+        // intentionally not provided — insecure passwords are worse than a crash.
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        const nodeCrypto = require("node:crypto");
+        return nodeCrypto.randomBytes(48).toString("base64url");
     }
     /** Stop the sidecar. Idempotent. */
     async stop() {